SSL installation via certbot - jigneshpshah/greycube_helpmanual GitHub Wiki

[A] Remove certbot-auto and install certbot

One-time setup (as root user):

```sh
sudo apt update
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo apt-get remove certbot
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
```

Ref: https://certbot.eff.org/lets-encrypt/ubuntubionic-nginx

[B] Get certificate: frappe user

```sh
$ bench config dns_multitenant on
$ sudo service nginx stop
```

(1) Run certbot in standalone mode (nginx must be stopped, because certbot itself listens on port 80):

```sh
$ sudo certbot certonly --standalone
```

It asks a few questions, e.g. the domain name:

```
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): abc.xyz.com
```

It then prints output like the following. Note the generated certificate paths and make sure the same paths are used in site_config.json:

```
   /etc/letsencrypt/live/abc.xyz.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/abc.xyz.com/privkey.pem
```

(2) Edit the site's site_config.json:

```
frappe@vmi494576:~/frappe-bench/sites/abc.xyz.com$ nano site_config.json
```

```json
"ssl_certificate": "/etc/letsencrypt/live/abc.xyz.com/fullchain.pem",
"ssl_certificate_key": "/etc/letsencrypt/live/abc.xyz.com/privkey.pem"
```

or set the two keys with bench, replacing `<sslpath>` and `<keypath>` with the paths printed above:

```sh
bench --site demo14.greycube.in set-config ssl_certificate <sslpath>
bench --site demo14.greycube.in set-config ssl_certificate_key <keypath>
```

(2.2) Take a backup of the nginx config before regenerating it:

```sh
~/frappe-bench/config$ cp nginx.conf nginx.conf_mar_2
```

(3) `~/frappe-bench$ bench setup nginx` (regenerates the nginx config with the SSL paths from site_config.json)
(4) `~/frappe-bench$ sudo service nginx start`
(5) `~/frappe-bench$ sudo service nginx reload` <-- **do not forget**

Ref: https://discuss.erpnext.com/t/certbot-auto-replaced-with-certbot/67692
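Before step (3) it is worth checking that site_config.json really points at the lineage certbot just created and that the certificate and key belong together, since nginx refuses to start after `bench setup nginx` when a file is missing or the pair does not match. The script below is an added example, not part of the wiki or of bench: it assumes the sites/<domain> layout shown above, parses the flat site_config.json with sed, reads /etc/letsencrypt/live by default (so run it with sudo), and only does the pair check when openssl is installed.

```sh
#!/bin/sh
# Added example, not from the wiki: check a bench site's TLS settings before
# `bench setup nginx`. SITE_DIR is sites/<domain>; LIVE_ROOT defaults to the
# directory certbot prints and can be overridden for a test copy. Run it with
# sudo, because /etc/letsencrypt/live is readable by root only.

# Value of one string key in site_config.json, empty if absent (sed keeps the
# script dependency-free; the file is flat JSON written by `bench set-config`).
site_config_get() {  # site_config_get SITE_DIR KEY
  sed -n "s/.*\"$2\" *: *\"\([^\"]*\)\".*/\1/p" "$1/site_config.json" | head -n 1
}

check_site_tls() {  # check_site_tls SITE_DIR [LIVE_ROOT]
  site=$(basename "$1"); live=${2:-/etc/letsencrypt/live}
  cert=$(site_config_get "$1" ssl_certificate)
  key=$(site_config_get "$1" ssl_certificate_key)
  if [ -z "$cert" ] || [ -z "$key" ]; then
    echo "$site: ssl_certificate / ssl_certificate_key not set"; return 1
  fi
  # Both paths must be the lineage certbot named after this site; a stale
  # path left over from a renamed site (see "Rename site") is the usual mistake.
  case $cert in "$live/$site/"*) ;; *) echo "$site: cert not under $live/$site/"; return 1;; esac
  case $key  in "$live/$site/"*) ;; *) echo "$site: key not under $live/$site/"; return 1;; esac
  for f in "$cert" "$key"; do
    if [ ! -r "$f" ]; then echo "$site: $f missing or unreadable"; return 1; fi
  done
  # nginx needs a matching pair: compare the public keys when openssl exists.
  if command -v openssl >/dev/null 2>&1; then
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$c" ] || [ "$c" != "$k" ]; then
      echo "$site: certificate and key do not match"; return 1
    fi
  fi
  echo "$site: ok"
}

# Usage: sudo sh check-site-tls.sh ~/frappe-bench/sites/abc.xyz.com
if [ -n "${1:-}" ]; then check_site_tls "$1"; fi
```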

To view the certificates certbot manages:

```sh
certbot certificates
```

Ref: https://certbot.eff.org/docs/using.html#:~:text=You%20can%20use%20certonly%20or,Certbot%20updates%20the%20existing%20certificate.

[C] Auto renewal

Log in as root or as a user with superuser privileges and run `date` (it shows the client's server time zone, e.g. CEST). Convert the wanted run time to that zone with [Set time zone](https://www.worldtimebuddy.com/), then run `crontab -e` and add one of the entries below. Cron ORs the day-of-month and day-of-week fields, so "1-7 * 5" would fire on every Friday AND on every day 1-7 of the month; the `date +\%u` test (1 = Monday .. 7 = Sunday) is what restricts a job to the first (or third) Friday/Sunday.

```cron
MAILTO="[email protected]"
# renew on the first Friday of the month at 00:30
30 0 1-7 * * [ "$(date +\%u)" = 5 ] && sudo service nginx stop && sudo certbot renew --quiet && sudo service nginx start

# renew letsencrypt certificates on 1st Monday of every month and get an email if it gets executed
# 0 0 1-7 * * [ "$(date '+\%a')" = "Mon" ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start

# renew letsencrypt certificates on 1st Sunday of every month and get an email if it gets executed
MAILTO="[email protected]"
30 1 1-7 * * [ "$(date +\%u)" = 7 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start

# renew letsencrypt certificates on 1st Friday of every month and get an email if it gets executed
30 1 1-7 * * [ "$(date +\%u)" = 5 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start

MAILTO="[email protected],[email protected]"
# run at 2:30 early morning Saudi Arabia time (server clock in CEST) on the 1st and 3rd Friday of every month
30 1 1-7 * * [ "$(date +\%u)" = 5 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start
30 1 15-21 * * [ "$(date +\%u)" = 5 ] && sudo service nginx stop && sudo certbot renew && sudo service nginx start
```
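The crontab chains above leave nginx stopped if `certbot renew` fails, and cron itself cannot express "first Friday". The wrapper below, added here as an example and not part of the wiki or of certbot, does the weekday arithmetic in the script and always starts nginx again; the service commands, the certbot invocation and the /usr/local/bin/renew-cert.sh path are assumptions and can be overridden through the variables at the top.

```sh
#!/bin/sh
# Added example, not from the wiki: renewal wrapper for the crontab in [C].
# Assumes nginx is managed by `service` and certbot is on PATH; the three
# commands are variables so they can be overridden (e.g. for a dry run).
: "${NGINX_STOP:=sudo service nginx stop}"
: "${NGINX_START:=sudo service nginx start}"
: "${CERTBOT_RENEW:=sudo certbot renew --quiet}"

# ISO weekday (1=Mon .. 7=Sun) of a YYYY-MM-DD date, Sakamoto's algorithm in
# pure POSIX sh so it does not depend on GNU `date -d`.
weekday_of() {
  y=${1%%-*}; rest=${1#*-}; m=${rest%-*}; d=${rest#*-}
  m=${m#0}; d=${d#0}                       # no leading zeros in arithmetic
  if [ "$m" -lt 3 ]; then y=$((y - 1)); fi
  set -- 0 3 2 5 0 3 5 1 4 6 2 4           # month offsets, January first
  shift $((m - 1))
  w=$(( (y + y / 4 - y / 100 + y / 400 + $1 + d) % 7 ))   # 0 = Sunday
  if [ "$w" -eq 0 ]; then w=7; fi
  echo "$w"
}

# True when DATE (default: today, server local time) is the Nth WEEKDAY of its
# month. Cron ORs day-of-month and day-of-week, so "30 1 1-7 * 5" fires on
# days 1-7 and on every Friday; the date test has to live in the job itself.
is_nth_weekday() {  # is_nth_weekday WEEKDAY N [DATE]
  when=${3:-$(date +%Y-%m-%d)}
  dom=${when##*-}; dom=${dom#0}
  [ "$(weekday_of "$when")" -eq "$1" ] && [ $(( (dom - 1) / 7 + 1 )) -eq "$2" ]
}

# Stop nginx only long enough for certbot's standalone listener on port 80 and
# start it again even when renewal fails: the `stop && renew && start` chain
# in the crontab leaves nginx down whenever certbot exits non-zero. Returns
# certbot's exit status so cron's MAILTO still reports failures.
renew_with_nginx_down() {
  rc=0
  $NGINX_STOP || return 1
  $CERTBOT_RENEW || rc=$?
  $NGINX_START || rc=1
  return "$rc"
}

# Crontab entry (runs daily at 01:30, renews only on the 1st Friday):
#   30 1 * * * /usr/local/bin/renew-cert.sh --run 5 1
if [ "${1:-}" = "--run" ]; then
  is_nth_weekday "$2" "$3" || exit 0
  renew_with_nginx_down
fi
```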

[D] Delete certificate

Both commands need root (run them with sudo). To revoke a certificate:

```sh
sudo certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem
```

To delete a certificate lineage (the files under /etc/letsencrypt/live/CERTNAME):

```sh
sudo certbot delete --cert-name example.com
```

Once deleted, run `bench setup nginx` again so the nginx config no longer references the removed files.

[E] Renew single certificate

```sh
sudo certbot renew --cert-name domain1.com
```

Ref: https://eff-certbot.readthedocs.io/en/stable/using.html#certbot-command-line-options

[F] Some errors: https://codewithkarani.com/2022/08/03/unknown-log-format-main-nginx/

Rename site (old.greycube.in to new.greycube.in)

  • create an A record for new.greycube.in pointing to the server
  • create SSL for new.greycube.in
  • update site_config.json with
    "ssl_certificate": "/etc/letsencrypt/live/new.greycube.in/fullchain.pem",
    "ssl_certificate_key": "/etc/letsencrypt/live/new.greycube.in/privkey.pem",
    "host_name": "new.greycube.in"
  • cd sites
  • mv old.greycube.in new.greycube.in
  • cd ..
  • sudo certbot delete --cert-name old.greycube.in
  • sudo service nginx stop
  • bench setup nginx
  • sudo service nginx start

[G] From IP to URL

If the site is currently accessed by IP address:

  • rename the site to the URL (see "Rename site" above)
  • back up the nginx and supervisor config folders
  • follow [B] Get certificate: frappe user
  • follow [C] Auto renewal

[H] Failure like the one below even though nginx was stopped

```
Performing the following challenges:
http-01 challenge for nafess.etqantco.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Could not bind TCP port 80 because it is already in use by another process on
this system (such as a web server). Please stop the program in question and then
try again.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(R)etry/(C)ancel: R
Waiting for verification...
Challenge failed for domain nafess.etqantco.com
http-01 challenge for nafess.etqantco.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: nafess.etqantco.com
  Type:   unauthorized
  Detail: 5.189.177.84: Invalid response from https://nafess.etqantco.com/.well-known/acme-challenge/GXqs8lxdLpAjSLiRLFXR8JmvzM-ZO5p9rpxDyc1hMOA: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
```

Solution: note that the URL in the error is https, not http. Something else was still listening on port 80 and redirected the validation request to https, where the challenge path returned 404, so certbot's own standalone server never received it. Re-run with challenge debugging (certbot pauses before validation so you can inspect the host) and verbose output:

```sh
sudo certbot certonly --standalone --debug-challenges -v
```